Ensuring CIS, PCI, and HIPAA Compliance with RedLock

In just a few short years, cloud computing has literally changed the entire IT landscape. And with this paradigm shift, there has been a great upheaval in the cybersecurity world. Security vendors have rushed to overhaul their product roadmaps because their traditional data center security products lack the agility, compatibility, and scalability needed for the cloud. This has been a big win for cloud customers, as they retain control of what security they choose to implement, based on the shared responsibility model of cloud security, to protect their own content, platform, applications, systems and networks, no differently than they would in an on-site datacenter. With these benefits, there is one consideration in that customers do not have the level of risk visibility and control previously available in the data center.

As I discussed in my previous blog post, my RedLock cofounder Gaurav Kumar and I believe that many organizations lack true visibility into cloud computing environments. We started our company to enable effective threat defense across public cloud computing environments such as Amazon Web Services (AWS). In this blog post, I explain how our new AI-driven approach provides a unified view of compliance risks by correlating disparate data sets across large, distributed AWS environments.

Unpacking the compliance challenge

Defining and implementing a security plan for your company’s workloads in the cloud is mandatory. But now that you have moved to the cloud, should you also be concerned about compliance?

Compliance is a business concern because of the ever-increasing number of regulations that require companies to be vigilant about maintaining a full understanding of their regulatory compliance requirements. For example, if your organization operates in a highly regulated industry, ensuring compliance across your public cloud computing environment is a key business requirement. Proving that your organization is abiding by industry standards, current laws, and government regulations is vital to regulators, shareholders, employees, and the public. Compliance mandates such as CIS, PCI, and HIPAA require businesses to protect, track, and control access to sensitive information.

First off, customers can rest assured knowing that, like security, AWS provides a platform that enables all customers to be compliant with regulations, but that compliance in the cloud is a shared responsibility.

The dynamic nature of the cloud makes all of this very challenging. With applications being updated daily (in some cases several times a day) and with workload configurations being constantly modified, the ability to track and control activity is very complicated. As with traditional cybersecurity, existing compliance and audit tools often fall short in the cloud. Yet, the compliance requirements remain.

Conceptually, compliance is straightforward as depicted in the following graphic. First, the right controls must be in place to ensure systems are operating according to regulation. And second, you must be able to prove those controls are working. Often, the challenge of demonstrating compliance is harder than implementing the controls. This is where RedLock comes in.

Figure 1: RedLock Shared Model

The RedLock Solution – Compliance reporting with a single click

Mapping cloud resource configurations to compliance frameworks can be challenging. RedLock enables you to monitor, auto-remediate, and report on compliance using out-of-the-box policies.

At RedLock, we break the compliance challenges into the following four areas to deliver the visibility and reporting you need to run your business, as well as the reports to satisfy your auditors.

Control Identification: The first step in assessing compliance involves mapping your specific cloud usage and resource configurations to compliance controls across the various cloud services. RedLock has done the work of mapping granular controls for common compliance standards such as CIS, PCI, and HIPAA and provides hundreds of out-of-the-box policies for Amazon Web Services.

Automatic Resource Discovery & Profiling: Due to the dynamic nature of the cloud, resources within the environment are constantly changing. RedLock automatically discovers a resource as soon as it is created and profiles it to understand which policies to assess. For example, as soon as a resource is discovered and identified to be a database, it can be assessed for controls such as encryption.

Continuous Monitoring & Remediation: Manual periodic audits are not effective for assessing the compliance posture of dynamic cloud environments. RedLock continuously monitors cloud computing resources for violations and automatically remediates issues. For example, if a database is created without encryption enabled, encryption can be automatically enabled.

Powerful Audit Reporting: In an audit, organizations are asked to prove compliance for a given time period. This poses significant challenges in public cloud computing environments where users are constantly making changes without a security review. RedLock enables you to report on your current compliance posture, and also maintains historical snapshots of your environment, enabling you to prove compliance for any past periods as well.

In the RedLock Compliance Assurance report, you get:

An executive summary of the results

Visibility into the resources scanned in the accounts for the regions that you specified.

A high-level view of how many resources passed the CIS checks, and how many failed.

The specific compliance controls that were violated. You can click on any of the violations to get more information.

This screenshot of the RedLock Compliance Assurance Report illustrates RedLock’s AI-driven approach to providing a unified view of compliance and security risks.

Figure 2: RedLock Sample Compliance Report

Ready to Get your Cloud Environment Compliant?

A specific AWS case study outlines which controls customers are responsible for, and our RedLock team is happy to show you how we work seamlessly ‘out of the box’ to help with your compliance requirements. To learn more about how RedLock can effectively ensure compliance and manage risks across your public cloud computing environment, get in touch with the Redlock team or come see us during AWS Security Week at the AWS Pop-up Loft in San Francisco.